On 03/11/2016 09:25 AM, Petr Vobornik wrote:
On 03/10/2016 07:22 PM, Simo Sorce wrote:
On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote:
On 03/10/2016 07:02 PM, Simo Sorce wrote:
On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
Hi,
These two options allow preventing clickjacking attacks. They don't
allow FreeIPA to be opened in a frame, iframe or object element.
Will these apply to the whole server or just to /ipa?
Yes, you are right, these apply to the whole server. In this new patch they
are applied only to /ipa.
--
Pavel^3 Vomacka
Thanks,
LGTM
Simo.
VERSION in a header needs to be incremented so that the config file is
correctly processed during upgrade.
VERSION incremented.
--
Pavel^3 Vomacka
From 22768ac624f62ade5fded0780903d04a915b6487 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <[email protected]>
Date: Thu, 10 Mar 2016 18:32:50 +0100
Subject: [PATCH] Add X-Frame-Options and frame-ancestors options
These two options allow preventing clickjacking attacks. They don't allow
FreeIPA to be opened in a frame, iframe or object element.
https://fedorahosted.org/freeipa/ticket/4631
---
install/conf/ipa.conf | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e9c5aa15a611d90fe005090abb1d8e50..cf10fc815640bcfc56152d342ee70d7d363ba4e5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 19 - DO NOT REMOVE THIS LINE
+# VERSION 20 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
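Review bot: the VERSION bump in this hunk is not explained anywhere in the commit message, which only describes the two headers; since the bump is what makes the upgrade code rewrite ipa.conf (as the review thread points out), add a line such as "Bump ipa.conf VERSION so the file is regenerated on upgrade" to the commit message so the reason survives in the history.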
@@ -71,6 +71,8 @@ WSGIScriptReloading Off
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
+ Header always append X-Frame-Options DENY
+ Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
# Turn off Apache authentication for sessions
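Review bot: `Header always append X-Frame-Options DENY` merges with any X-Frame-Options value that is already present on the response (mod_headers joins the values with a comma), so a value set elsewhere would produce something like "SAMEORIGIN, DENY"; browsers do still block on that particular mix, but a DENY policy is absolute and `Header always set X-Frame-Options DENY` expresses it without depending on what else may be configured. Appending is acceptable for Content-Security-Policy, where every delivered policy is enforced together. The `always` condition is the right choice here: it keeps both headers on non-2xx responses, including the 401 page served through the ErrorDocument directive visible in the hunk context.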
--
2.5.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
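To make concrete what the two headers in the patch do, and why merging X-Frame-Options values matters, here is an added example that is not part of the thread or of the FreeIPA project. It models the decision a browser makes from X-Frame-Options and the CSP frame-ancestors directive, following the rules the HTML and CSP specifications describe (CSP wins when both are present; a conflicting X-Frame-Options set that includes DENY blocks; scheme-less host sources are matched on host only, a simplification). The header lists, host names and URLs are constructed for the example so it runs offline; a practitioner would feed it the headers captured from their own server instead.

```python
"""Model of how a browser decides whether a page may be framed.

Added example, not code from the FreeIPA project or the patch above.
Implements the X-Frame-Options and CSP frame-ancestors checks so that
captured response headers can be evaluated offline.
"""
from urllib.parse import urlsplit


def header_values(headers, name):
    """All values of header `name` (case-insensitive), split on commas.

    HTTP merges repeated headers with commas, and Apache's `Header append`
    does the same, so "SAMEORIGIN, DENY" arrives as two separate values.
    """
    values = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def frame_ancestor_policies(headers):
    """frame-ancestors source lists, one per CSP policy carrying the directive."""
    policies = []
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                policies.append([t.lower() for t in tokens[1:]])
    return policies


def origin(url):
    """(scheme, host, port) tuple; the default port is filled in from the scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), parts.hostname, port)


def sources_allow(sources, page_url, ancestor_url):
    """Does one frame-ancestors source list admit ancestor_url as an embedder?"""
    page, anc = origin(page_url), origin(ancestor_url)
    if sources == ["'none'"]:
        return False
    for src in sources:
        if src == "'self'":
            if page == anc:
                return True
            continue
        if src == "*" or (src.endswith(":") and src[:-1] == anc[0]):
            return True  # wildcard, or a scheme-source such as "https:"
        # host-source: [scheme://]host[:port], optionally with a *. wildcard;
        # a scheme-less host-source is matched on host only (simplification)
        scheme, _, hostport = src.rpartition("://")
        host, _, port = hostport.partition(":")
        if scheme and scheme != anc[0]:
            continue
        if port and port != "*" and int(port) != anc[2]:
            continue
        if host.startswith("*."):
            if not anc[1].endswith(host[1:]):
                continue
        elif host != anc[1]:
            continue
        return True
    return False


def framing_allowed(headers, page_url, ancestor_url):
    """True if a browser would render page_url inside a frame owned by ancestor_url."""
    policies = frame_ancestor_policies(headers)
    if policies:
        # CSP frame-ancestors takes precedence over X-Frame-Options, and every
        # delivered policy must allow the ancestor.
        return all(sources_allow(p, page_url, ancestor_url) for p in policies)
    xfo = {v.lower() for v in header_values(headers, "X-Frame-Options")}
    if len(xfo) > 1:
        # Conflicting values: block if one of them is a blocking keyword,
        # otherwise the header is treated as invalid and ignored.
        return not ({"deny", "allowall", "invalid"} & xfo)
    if not xfo:
        return True
    (value,) = xfo
    if value == "deny":
        return False
    if value == "sameorigin":
        return origin(page_url) == origin(ancestor_url)
    return True  # unrecognised value (e.g. ALLOW-FROM) is ignored by browsers


# Constructed header sets: what the patched /ipa Location sends, what a merged
# X-Frame-Options looks like, and a CSP that allows one trusted embedder.
PATCH_HEADERS = [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "frame-ancestors 'none'")]
MERGED_HEADERS = [("X-Frame-Options", "SAMEORIGIN, DENY")]
SELF_CSP = [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy",
             "frame-ancestors 'self' https://portal.example.test")]
IPA = "https://ipa.example.test/ipa/ui/"  # constructed page URL

if __name__ == "__main__":
    for label, hdrs in [("patch", PATCH_HEADERS), ("merged", MERGED_HEADERS),
                        ("self+portal", SELF_CSP)]:
        for anc in ("https://ipa.example.test/", "https://attacker.example/"):
            print(f"{label:12s} framed by {anc}: {framing_allowed(hdrs, IPA, anc)}")
```

The first header set reproduces the patch: with both headers present, CSP decides, and `frame-ancestors 'none'` refuses every embedder, the server's own origin included, which is the behaviour the commit message describes. The second set shows the `append` case from the review note; the third shows how an allow-list would be expressed if an embedding portal ever had to be permitted.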